Critical NetScaler ADC, Gateway flaw may soon be exploited (CVE-2026-3055)
Citrix has fixed two vulnerabilities in NetScaler ADC and NetScaler Gateway, with the more serious flaw (CVE-2026-3055) potentially allowing attackers to extract active session tokens from the memory of affected devices.
Anil Shetty, senior VP of Engineering with Cloud Software Group (Citrix’s parent company), stated on Saturday that Cloud Software Group “is not aware of any unmitigated exploit available for either CVE 2026-3055 or CVE 2026-4368.”
Still, as both vulnerabilities can be exploited in low-complexity attacks and are in solutions that are often targeted by attackers, the company has urged customers to upgrade to a fixed version as soon as possible.
The vulnerabilities (CVE-2026-3055, CVE-2026-4368)
NetScaler ADC (application delivery controller) is a networking appliance used for improving the performance, security, and resiliency of applications.
NetScaler Gateway is a solution that allows users to safely access internal company resources (e.g., apps, desktops, files) over the internet.
CVE-2026-3055 is caused by insufficient input validation and may lead to a memory overread. CVE-2026-4368 is a race condition that leads to a user session mix-up, i.e., it may expose one user’s session to another user.
“The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable [to CVE-2026-3055], whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on,” Rapid7 noted.
CVE-2026-4368 is only exploitable on appliances that are configured as a Gateway or an AAA virtual server.
Both vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
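As an added example (not from the article, Citrix, or Rapid7), the following Python checker compares a NetScaler version string against the fixed builds listed above. It treats the build number as a pair of integers rather than a string, so a comparison like 14.1-100.1 against 14.1-66.59 comes out right, and it keeps the 13.1-FIPS/NDcPP branch separate from standard 13.1, since their build numbers are not comparable. The helper that reads `show version` output assumes the CLI's `NetScaler NS<release>: Build <build>.nc` line format; the sample output embedded below is constructed.

```python
import re
from typing import Tuple

# Fixed builds as given in the bulletin summary above.
# Edition "standard" covers NetScaler ADC and NetScaler Gateway;
# "fips" and "ndcpp" cover NetScaler ADC 13.1-FIPS and 13.1-NDcPP.
FIXED_BUILDS = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),
    ("13.1", "ndcpp"): (37, 262),
}

# Matches e.g. "14.1-66.59" -> release "14.1", build "66", "59".
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

# Assumed layout of the first line of `show version` on the NetScaler CLI,
# e.g. "NetScaler NS14.1: Build 66.59.nc, Date: ...".
_SHOW_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-66.59' into ('14.1', (66, 59)); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def from_show_version(output: str) -> str:
    """Extract a 'release-build' string from (assumed) `show version` output."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no NetScaler version line found in output")
    return f"{m.group(1)}-{m.group(2)}.{m.group(3)}"


def assess(version: str, edition: str = "standard") -> str:
    """Return 'vulnerable', 'fixed', or 'not-covered' for a release/edition pair.

    'not-covered' means the bulletin summary above lists no fixed build for
    this release and edition, so no conclusion is drawn from it.
    """
    release, build = parse_version(version)
    fixed = FIXED_BUILDS.get((release, edition.lower()))
    if fixed is None:
        return "not-covered"
    # Tuple comparison is numeric per component, so (100, 1) > (66, 59).
    return "vulnerable" if build < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample of CLI output; not captured from a real appliance.
    sample = "NetScaler NS14.1: Build 66.58.nc, Date: Jan 1 2026, 00:00:00   (64-bit)"
    ver = from_show_version(sample)
    print(f"{ver}: {assess(ver)}")                       # vulnerable
    print(f"13.1-37.262 (NDcPP): {assess('13.1-37.262', 'ndcpp')}")  # fixed
    print(f"13.1-37.262 (standard): {assess('13.1-37.262')}")        # vulnerable
```

The last two lines of the demo show why the edition matters: a standard 13.1 appliance reporting build 37.262 is well below the 62.23 fix, while the same build number on the NDcPP branch is the fixed release.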
Citrix-managed cloud services and Adaptive Authentication have been upgraded with the latest software updates by Cloud Software Group.
Act quickly!
According to the security bulletin, CVE-2026-3055 was identified internally by Citrix during a security review.
Rapid7 and Arctic Wolf researchers say that there is currently no publicly available proof-of-concept (PoC) exploit for CVE-2026-3055 and no detected in-the-wild exploitation.
That said, with security updates now available, attackers may soon reverse engineer the patch and create an exploit. The similarity between CVE-2026-3055 and the previously exploited CitrixBleed2 flaw (CVE-2025-5777) might spur attackers to do so sooner rather than later.
Aside from updating vulnerable appliances, organizations should also consider restricting access to them using network-level controls.

